swift kilo版代码更新

今天重新搭建swift服务器，git下代码后一时好奇，进入kilo/stable branch后，与四个月前下载的swift/kilo版本做了个比较。使用diff命令完成。发现代码还是略有区别。

diff -r -u -N --new-file swift/swift/common/bufferedhttp.py swift-kilo/swift/common/bufferedhttp.py
--- swift/swift/common/bufferedhttp.py	2015-09-18 15:30:03.730723515 +0800
+++ swift-kilo/swift/common/bufferedhttp.py	2015-09-18 16:43:36.283386102 +0800
@@ -27,19 +27,14 @@
 """
 from swift import gettext_ as _
-from swift.common import constraints
 from urllib import quote
 import logging
 import time
 import socket
-import eventlet
 from eventlet.green.httplib import CONTINUE, HTTPConnection, HTTPMessage, \
     HTTPResponse, HTTPSConnection, _UNKNOWN
-httplib = eventlet.import_patched('httplib')
-httplib._MAXHEADERS = constraints.MAX_HEADER_COUNT
-
 class BufferedHTTPResponse(HTTPResponse):
     """HTTPResponse class that buffers reading of headers"""
diff -r -u -N --new-file swift/swift/common/constraints.py swift-kilo/swift/common/constraints.py
--- swift/swift/common/constraints.py	2015-09-18 15:30:03.730723515 +0800
+++ swift-kilo/swift/common/constraints.py	2015-09-18 16:43:36.259385971 +0800
@@ -36,7 +36,6 @@
 MAX_ACCOUNT_NAME_LENGTH = 256
 MAX_CONTAINER_NAME_LENGTH = 256
 VALID_API_VERSIONS = ["v1", "v1.0"]
-EXTRA_HEADER_COUNT = 0
 # If adding an entry to DEFAULT_CONSTRAINTS, note that
 # these constraints are automatically published by the
@@ -55,7 +54,6 @@
     'max_account_name_length': MAX_ACCOUNT_NAME_LENGTH,
     'max_container_name_length': MAX_CONTAINER_NAME_LENGTH,
     'valid_api_versions': VALID_API_VERSIONS,
-    'extra_header_count': EXTRA_HEADER_COUNT,
 }
 SWIFT_CONSTRAINTS_LOADED = False
@@ -107,13 +105,6 @@
                        'xml': 'application/xml'}
-# By default the maximum number of allowed headers depends on the number of max
-# allowed metadata settings plus a default value of 32 for regular http
-# headers.  If for some reason this is not enough (custom middleware for
-# example) it can be increased with the extra_header_count constraint.
-MAX_HEADER_COUNT = MAX_META_COUNT + 32 + max(EXTRA_HEADER_COUNT, 0)
-
-
 def check_metadata(req, target_type):
     """
     Check metadata sent in the request headers.  This should only check
diff -r -u -N --new-file swift/swift/common/middleware/tempurl.py swift-kilo/swift/common/middleware/tempurl.py
--- swift/swift/common/middleware/tempurl.py	2015-09-18 15:30:03.738723545 +0800
+++ swift-kilo/swift/common/middleware/tempurl.py	2015-09-18 16:43:36.243385885 +0800
@@ -122,13 +122,11 @@
 from urlparse import parse_qs
 from swift.proxy.controllers.base import get_account_info, get_container_info
-from swift.common.swob import HeaderKeyDict, HTTPUnauthorized, HTTPBadRequest
+from swift.common.swob import HeaderKeyDict, HTTPUnauthorized
 from swift.common.utils import split_path, get_valid_utf8_str, \
     register_swift_info, get_hmac, streq_const_time, quote
-DISALLOWED_INCOMING_HEADERS = 'x-object-manifest'
-
 #: Default headers to remove from incoming requests. Simply a whitespace
 #: delimited list of header names and names can optionally end with '*' to
 #: indicate a prefix match. DEFAULT_INCOMING_ALLOW_HEADERS is a list of
@@ -152,10 +150,6 @@
 DEFAULT_OUTGOING_ALLOW_HEADERS = 'x-object-meta-public-*'
-CONTAINER_SCOPE = 'container'
-ACCOUNT_SCOPE = 'account'
-
-
 def get_tempurl_keys_from_metadata(meta):
     """
     Extracts the tempurl keys from metadata.
@@ -176,38 +170,6 @@
         quote(filename, safe=' /'), quote(filename))
-def authorize_same_account(account_to_match):
-
-    def auth_callback_same_account(req):
-        try:
-            _ver, acc, _rest = req.split_path(2, 3, True)
-        except ValueError:
-            return HTTPUnauthorized(request=req)
-
-        if acc == account_to_match:
-            return None
-        else:
-            return HTTPUnauthorized(request=req)
-
-    return auth_callback_same_account
-
-
-def authorize_same_container(account_to_match, container_to_match):
-
-    def auth_callback_same_container(req):
-        try:
-            _ver, acc, con, _rest = req.split_path(3, 4, True)
-        except ValueError:
-            return HTTPUnauthorized(request=req)
-
-        if acc == account_to_match and con == container_to_match:
-            return None
-        else:
-            return HTTPUnauthorized(request=req)
-
-    return auth_callback_same_container
-
-
 class TempURL(object):
     """
     WSGI Middleware to grant temporary URLs specific access to Swift
@@ -268,10 +230,6 @@
         #: The methods allowed with Temp URLs.
         self.methods = methods
-        self.disallowed_headers = set(
-            'HTTP_' + h.upper().replace('-', '_')
-            for h in DISALLOWED_INCOMING_HEADERS.split())
-
         headers = DEFAULT_INCOMING_REMOVE_HEADERS
         if 'incoming_remove_headers' in conf:
             headers = conf['incoming_remove_headers']
@@ -340,10 +298,10 @@
             return self.app(env, start_response)
         if not temp_url_sig or not temp_url_expires:
             return self._invalid(env, start_response)
-        account, container = self._get_account_and_container(env)
+        account = self._get_account(env)
         if not account:
             return self._invalid(env, start_response)
-        keys = self._get_keys(env)
+        keys = self._get_keys(env, account)
         if not keys:
             return self._invalid(env, start_response)
         if env['REQUEST_METHOD'] == 'HEAD':
@@ -358,32 +316,15 @@
         else:
             hmac_vals = self._get_hmacs(env, temp_url_expires, keys)
-        is_valid_hmac = False
-        hmac_scope = None
-        for hmac, scope in hmac_vals:
-            # While it's true that we short-circuit, this doesn't affect the
-            # timing-attack resistance since the only way this will
-            # short-circuit is when a valid signature is passed in.
-            if streq_const_time(temp_url_sig, hmac):
-                is_valid_hmac = True
-                hmac_scope = scope
-                break
+        # While it's true that any() will short-circuit, this doesn't affect
+        # the timing-attack resistance since the only way this will
+        # short-circuit is when a valid signature is passed in.
+        is_valid_hmac = any(streq_const_time(temp_url_sig, hmac)
+                            for hmac in hmac_vals)
         if not is_valid_hmac:
             return self._invalid(env, start_response)
-        # disallowed headers prevent accidently allowing upload of a pointer
-        # to data that the PUT tempurl would not otherwise allow access for.
-        # It should be safe to provide a GET tempurl for data that an
-        # untrusted client just uploaded with a PUT tempurl.
-        resp = self._clean_disallowed_headers(env, start_response)
-        if resp:
-            return resp
         self._clean_incoming_headers(env)
-
-        if hmac_scope == ACCOUNT_SCOPE:
-            env['swift.authorize'] = authorize_same_account(account)
-        else:
-            env['swift.authorize'] = authorize_same_container(account,
-                                                              container)
+        env['swift.authorize'] = lambda req: None
         env['swift.authorize_override'] = True
         env['REMOTE_USER'] = '.wsgi.tempurl'
         qs = {'temp_url_sig': temp_url_sig,
@@ -424,23 +365,22 @@
         return self.app(env, _start_response)
-    def _get_account_and_container(self, env):
+    def _get_account(self, env):
         """
-        Returns just the account and container for the request, if it's an
-        object request and one of the configured methods; otherwise, None is
+        Returns just the account for the request, if it's an object
+        request and one of the configured methods; otherwise, None is
         returned.
         :param env: The WSGI environment for the request.
-        :returns: (Account str, container str) or (None, None).
+        :returns: Account str or None.
         """
         if env['REQUEST_METHOD'] in self.methods:
             try:
                 ver, acc, cont, obj = split_path(env['PATH_INFO'], 4, 4, True)
             except ValueError:
-                return (None, None)
+                return None
             if ver == 'v1' and obj.strip('/'):
-                return (acc, cont)
-        return (None, None)
+                return acc
     def _get_temp_url_info(self, env):
         """
@@ -470,23 +410,18 @@
             inline = True
         return temp_url_sig, temp_url_expires, filename, inline
-    def _get_keys(self, env):
+    def _get_keys(self, env, account):
         """
         Returns the X-[Account|Container]-Meta-Temp-URL-Key[-2] header values
-        for the account or container, or an empty list if none are set. Each
-        value comes as a 2-tuple (key, scope), where scope is either
-        CONTAINER_SCOPE or ACCOUNT_SCOPE.
+        for the account or container, or an empty list if none are set.
         Returns 0-4 elements depending on how many keys are set in the
         account's or container's metadata.
         :param env: The WSGI environment for the request.
-        :returns: [
-            (X-Account-Meta-Temp-URL-Key str value, ACCOUNT_SCOPE) if set,
-            (X-Account-Meta-Temp-URL-Key-2 str value, ACCOUNT_SCOPE if set,
-            (X-Container-Meta-Temp-URL-Key str value, CONTAINER_SCOPE) if set,
-            (X-Container-Meta-Temp-URL-Key-2 str value, CONTAINER_SCOPE if set,
-        ]
+        :param account: Account str.
+        :returns: [X-Account-Meta-Temp-URL-Key str value if set,
+                   X-Account-Meta-Temp-URL-Key-2 str value if set]
         """
         account_info = get_account_info(env, self.app, swift_source='TU')
         account_keys = get_tempurl_keys_from_metadata(account_info['meta'])
@@ -495,28 +430,25 @@
         container_keys = get_tempurl_keys_from_metadata(
             container_info.get('meta', []))
-        return ([(ak, ACCOUNT_SCOPE) for ak in account_keys] +
-                [(ck, CONTAINER_SCOPE) for ck in container_keys])
+        return account_keys + container_keys
-    def _get_hmacs(self, env, expires, scoped_keys, request_method=None):
+    def _get_hmacs(self, env, expires, keys, request_method=None):
         """
         :param env: The WSGI environment for the request.
         :param expires: Unix timestamp as an int for when the URL
                         expires.
-        :param scoped_keys: (key, scope) tuples like _get_keys() returns
+        :param keys: Key strings, from the X-Account-Meta-Temp-URL-Key[-2] of
+                     the account.
         :param request_method: Optional override of the request in
                                the WSGI env. For example, if a HEAD
                                does not match, you may wish to
                                override with GET to still allow the
                                HEAD.
-
-        :returns: a list of (hmac, scope) 2-tuples
         """
         if not request_method:
             request_method = env['REQUEST_METHOD']
-        return [
-            (get_hmac(request_method, env['PATH_INFO'], expires, key), scope)
-            for (key, scope) in scoped_keys]
+        return [get_hmac(
+            request_method, env['PATH_INFO'], expires, key) for key in keys]
     def _invalid(self, env, start_response):
         """
@@ -533,22 +465,6 @@
             body = '401 Unauthorized: Temp URL invalid\n'
         return HTTPUnauthorized(body=body)(env, start_response)
-    def _clean_disallowed_headers(self, env, start_response):
-        """
-        Validate the absense of disallowed headers for "unsafe" operations.
-
-        :returns: None for safe operations or swob.HTTPBadResponse if the
-                  request includes disallowed headers.
-        """
-        if env['REQUEST_METHOD'] in ('GET', 'HEAD', 'OPTIONS'):
-            return
-        for h in env:
-            if h in self.disallowed_headers:
-                return HTTPBadRequest(
-                    body='The header %r is not allowed in this tempurl' %
-                    h[len('HTTP_'):].title().replace('_', '-'))(
-                        env, start_response)
-
     def _clean_incoming_headers(self, env):
         """
         Removes any headers from the WSGI environment as per the
diff -r -u -N --new-file swift/swift/proxy/server.py swift-kilo/swift/proxy/server.py
--- swift/swift/proxy/server.py	2015-09-18 15:30:03.754723606 +0800
+++ swift-kilo/swift/proxy/server.py	2015-09-18 16:43:36.111385171 +0800
@@ -378,7 +378,6 @@
                 allowed_methods = getattr(controller, 'allowed_methods', set())
                 return HTTPMethodNotAllowed(
                     request=req, headers={'Allow': ', '.join(allowed_methods)})
-            old_authorize = None
             if 'swift.authorize' in req.environ:
                 # We call authorize before the handler, always. If authorized,
                 # we remove the swift.authorize hook so isn't ever called
@@ -389,7 +388,7 @@
                 if not resp and not req.headers.get('X-Copy-From-Account') \
                         and not req.headers.get('Destination-Account'):
                     # No resp means authorized, no delayed recheck required.
-                    old_authorize = req.environ['swift.authorize']
+                    del req.environ['swift.authorize']
                 else:
                     # Response indicates denial, but we might delay the denial
                     # and recheck later. If not delayed, return the error now.
@@ -399,13 +398,7 @@
             # gets mutated during handling.  This way logging can display the
             # method the client actually sent.
             req.environ['swift.orig_req_method'] = req.method
-            try:
-                if old_authorize:
-                    req.environ.pop('swift.authorize', None)
-                return handler(req)
-            finally:
-                if old_authorize:
-                    req.environ['swift.authorize'] = old_authorize
+            return handler(req)
         except HTTPException as error_response:
             return error_response
         except (Exception, Timeout):

其中，swift目录为最新版本的swift kilo/stable中源码；swift-kilo目录为四个月前下载的源码。

从上面的比较中，可以看出两个时段的代码略有区别，差异在百来行左右，主要集中于tempurl中间件代码中。这部分，与我动手修改的部分关系不大。唯一稍稍有关的代码更新，可能就是proxy server中代码更新。但仔细研究后发现，就是对旧的认证入口函数做了一个保存，在返回产生异常时，利用旧认证函数对env中认证函数进行赋值。相当于对代码逻辑的小小完善，对整体大流程不会有影响。

我想，我可以放心在最新kilo分支代码上进行修改，并利用它搭建系统，进行压力测试。